What does it take to register a domain name? Not much. Buying domain names is easy and anyone, including cybercriminals, can do it. In part because there are no special requirements, a surge in domain registrations often follows newsworthy events. This behavior is typically detected by newly registered domain databases and typosquatting data feeds. Let's take a look at a few examples.

4 Newsworthy Events That Led to a Surge in Typo Domains

1. Coronavirus Pandemic

As most of the global population retreated to their homes to curb the spread of COVID-19, a rise in coronavirus-themed domain registrations was detected. From 21 January to 17 February 2020, a total of 750 coronavirus-themed domains were registered, some of them in bulk.

While this volume of newly registered domains is already alarming, the steady increase in the following month raised an even bigger red flag: the number of coronavirus-themed domains reached 49,437 in March 2020 alone. Here are a few of them:

newscoronavirusau[.]com

factsnotfearcorona[.]com

coronavirusdonations[.]site

coronavirusdonations[.]org

coronavirusdonations[.]website

The likely victims: Everyone looking for new information and avenues to donate could fall victim to coronavirus-themed scams and phishing attempts. The World Health Organization (WHO) warned the public of phishing emails and websites.

2. Demand for N95 Masks

The COVID-19 pandemic also resulted in shortages of several essentials, such as toilet paper, alcohol, and N95 masks. As the supply of N95 masks dwindled in January 2020, the volume of N95 mask-related bulk domain registrations surged. Among the newly registered domains seen were those possibly connected to suspicious activity, including:

coronan95masks[.]com

coronavirusn95mask[.]com

buyn95coronavirusmask[.]com

3plyn95allsurgicalequipments[.]com

buyn95maskcoronavirus[.]com

coronavirusn95facemask[.]com

The likely victims: People looking for N95 mask suppliers are likely to become the victims of these recently registered domains, should they turn out to be fraudulent. An innocent search using the terms “where to buy N95 masks” or “N95 face mask supplier” could lead users to a malicious site.

3. CARES Act

In response to the economic consequences of the COVID-19 pandemic, governments offered money for small businesses and laid-off workers. One initiative is the U.S. Coronavirus Aid, Relief, and Economic Security (CARES) Act, which set the Paycheck Protection Program (PPP) in motion.

Three days after the U.S. Congress passed the Act on 27 March 2020, our typosquatting protection database started detecting newly registered domains that seemingly targeted potential recipients of funds related to the CARES Act and PPP. The government did not own these domains.

covid19stimulus[.]org

covid-stimulus[.]icu

getyourstimuluscheck[.]info

getyourstimuluscheck[.]org

caresactcompliance[.]biz

caresactcompliance[.]net

As we dug deeper into the CARES Act- and PPP-related domain registrations, we found that several may have been used in phishing campaigns.

The likely victims: Recently registered domains related to the CARES Act, PPP, and stimulus packages can affect anyone who has already suffered financially. In hopes of benefiting from the economic aid, people could eagerly open a phishing email and click a malicious link or download a harmful file.

4. Settlement Cases

Banks and other financial institutions have long been favored as typosquatting victims. One could, for instance, find hundreds of domains that resemble the domain of the Bank of America website.

bankofamericaa-online-connect-account-verification[.]com

bankofamericaa-online-connect-account-verification[.]net

bankofamericaa-online-connect-account-verification[.]org

More recently, our databases detected new domain registrations related to settlement cases, such as the one involving Bank of America and Federico Galavis. Aside from GalavisBankofAmericaSettlement[.]com, the official settlement agreement website, typosquatting domains such as galvisbankofamericasettlement[.]com, galavisbankofamericasetlement[.]com, and galavisbankofamericasettement[.]com were found.

We also detected suspicious domains related to the Wish[.]com settlement case.

The likely victims: Threat actors could be looking to scam claimants, so they can get the settlement amounts themselves. As such, the likely victims of typosquatting domains riding on settlement cases are the claimants or clients of the organizations involved.

Registrations of news-related domains, when done in bad faith, can be a real problem. Newly registered domain and typosquatting databases can help detect such events and other look-alike domains that could be part of malicious or fraudulent activities.
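One way to run such a look-alike check over a newly registered domains feed, as an added example (not code from the original article or from the databases it mentions). The function names, the brand keyword, the edit-distance threshold of 2, and the sample feed built from domains listed on this page are assumptions.

```python
import re

OFFICIAL = "GalavisBankofAmericaSettlement[.]com"  # official site named on the page
BRAND = "bankofamerica"                            # assumed brand keyword to watch

# Constructed sample feed, built from domains listed on this page (defanged)
FEED = [
    "GalavisBankofAmericaSettlement[.]com",
    "galvisbankofamericasettlement[.]com",
    "galavisbankofamericasetlement[.]com",
    "galavisbankofamericasettement[.]com",
    "bankofamericaa-online-connect-account-verification[.]net",
    "newscoronavirusau[.]com",
]

def refang(domain):
    """Turn the defanged form (example[.]com) into a plain lowercase name."""
    return domain.strip().lower().replace("[.]", ".")

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, official, brand, max_dist=2):
    """Return 'official', 'typo', 'brand-embed' or 'unrelated' for one feed entry."""
    cand, off = refang(candidate), refang(official)
    if cand == off:
        return "official"
    # Compare the part left of the TLD; assumes single-label TLDs as in the sample
    cand_label, off_label = cand.rsplit(".", 1)[0], off.rsplit(".", 1)[0]
    if edit_distance(cand_label, off_label) <= max_dist:
        return "typo"
    # Drop hyphens and digits so padded names still expose the brand string
    if brand in re.sub(r"[^a-z]", "", cand_label):
        return "brand-embed"
    return "unrelated"

def scan(feed=FEED, official=OFFICIAL, brand=BRAND):
    """Classify every feed entry; keys stay defanged for safe reporting."""
    return {d: classify(d, official, brand) for d in feed}

if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{verdict:12} {domain}")
```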

